Delta’s Mobile Application’s “Wings Clipped”

A powerful reminder to the business community that it must take mobile application (“App”) privacy seriously was provided by California Attorney General Kamala D. Harris in the form a complaint filed against Delta Airlines, Inc. (“Delta”) last Thursday.

Attorney General Harris announced first ever legal action taken under the California Online Privacy Protection Act (“CalOPPA”), claiming Delta violated the statute by failing to conspicuously post a privacy policy accessible through the App within thirty (30) days of notification of noncompliance. CalOPPA “requires commercial operators of websites and online services, including mobile and social apps, which collect personally identifiable information from Californians to conspicuously post a privacy policy.”

Lest companies take comfort that their website privacy policies can keep them out of trouble with respect to mobile applications, the complaint against Delta claims that its website privacy policy (i) does not mention the App (ii) is not reasonably accessible to consumers of the App and (iii) does not disclose several types of personal information that the App collects but the website does not. Drawing inferences from these allegations, it is unlikely that companies can satisfy CalOPPA’s mobile application privacy requirements through a website privacy policy.

Meaningful penalties can attach to violations of CalOPPA, as Attorney General Harris’ suit seeks to enjoin Delta from distributing the App without a privacy policy that accurately describes all types of personal information collected, and also seeks fines of up to $2,500 for each violation.

The Attorney General’s announcement additionally notes that “if developers do not comply with their stated privacy policies, they can be prosecuted under California’s Unfair Competition Law and/or False Advertising Law.”

California is ramping up efforts to enforce privacy laws, in particular with the creation of a Privacy Enforcement and Protection Unit earlier this year that will enforce laws related to cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches. A proactive approach to privacy practices by businesses with a national presence is likely to mitigate litigation risk in California (and otherwise).

To that end, agreements entered into earlier this year with the California Attorney General, first by Amazon.com, Apple, Google and three other tech giants, and then by Facebook, appear to have served the companies well in steering clear of trouble in California, a state acting as a leader in protection of consumer privacy.